From 16a611154dc11d73dfa99ae2089a1f1ef45db7f8 Mon Sep 17 00:00:00 2001 From: "Dupuis, Chad" Date: Fri, 2 Jun 2017 12:02:05 -0700 Subject: [PATCH] scsi: qedf: Check if sense buffer has been allocated during completion sc_cmd->sense_buffer is not guaranteed to be allocated so we need to sc_cmd->check if the pointer is NULL before trying to copy anything into it. Fixes the crash: [ 143.793176] [0000:00:00.0]:[qedf_eh_device_reset:626]: LUN RESET Issued... [ 143.802996] BUG: unable to handle kernel NULL pointer dereference at (null) [ 143.803063] IP: qedf_parse_fcp_rsp+0xe2/0x290 [qedf] [ 143.803077] PGD 0 [ 143.803078] P4D 0 [ 143.803103] Oops: 0002 [#1] SMP [ 143.803115] Modules linked in: msr(E) ebtable_filter(E) ebtables(E) ip6table_filter(E) ip6_tables(E) iptable_filter(E) ip_tables(E) x_tables(E) raw(E) scsi_transport_iscsi(E) br_netfilter(E) bridge(E) iscsi_ibft(E) iscsi_boot_sysfs(E) intel_rapl(E) sb_edac(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) kvm_intel(E) kvm(E) irqbypass(E) crct10dif_pclmul(E) crc32_pclmul(E) xfs(E) ghash_clmulni_intel(E) pcbc(E) aesni_intel(E) aes_x86_64(E) crypto_simd(E) ipmi_ssif(E) glue_helper(E) iTCO_wdt(E) iTCO_vendor_support(E) lpc_ich(E) ipmi_si(E) pcspkr(E) hpilo(E) ioatdma(E) cryptd(E) ipmi_devintf(E) hpwdt(E) mfd_core(E) shpchp(E) dca(E) thermal(E) pcc_cpufreq(E) ipmi_msghandler(E) acpi_cpufreq(E) af_packet(E) btrfs(E) xor(E) raid6_pq(E) sr_mod(E) cdrom(E) ata_generic(E) sd_mod(E) 8021q(E) garp(E) [ 143.803302] stp(E) llc(E) mrp(E) bnx2fc(E) cnic(E) uio(E) mgag200(E) ata_piix(E) i2c_algo_bit(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) ahci(E) fb_sys_fops(E) bnx2x(E) qedf(E) serio_raw(E) libahci(E) ttm(E) uhci_hcd(E) ehci_pci(E) qed(E) mdio(E) libcrc32c(E) ehci_hcd(E) crc32c_intel(E) drm(E) libata(E) usbcore(E) tg3(E) ptp(E) hpsa(E) pps_core(E) scsi_transport_sas(E) libphy(E) wmi(E) button(E) fcoe(E) libfcoe(E) libfc(E) scsi_transport_fc(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) autofs4(E) [ 143.803438] CPU: 31 PID: 494 Comm: kworker/31:2 Tainted: G E 4.12.0-rc1-69-default+ #1 [ 143.803461] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012 [ 143.803480] Workqueue: qedf_io_wq qedf_fp_io_handler [qedf] [ 143.803496] task: ffff8804181a0000 task.stack: ffffc90003b64000 [ 143.803514] RIP: 0010:qedf_parse_fcp_rsp+0xe2/0x290 [qedf] [ 143.803529] RSP: 0018:ffffc90003b67dc8 EFLAGS: 00010246 [ 143.803544] RAX: 0000000000000000 RBX: ffff880401abdd48 RCX: 000000000000000c [ 143.803563] RDX: 0000000000000060 RSI: ffffffffa039c740 RDI: 0000000000000000 [ 143.803581] RBP: ffffc90003b67df0 R08: ffffffffa039dba8 R09: 0000000000000000 [ 143.803600] R10: 0000000000000000 R11: 0000000000000018 R12: 0000000000000000 [ 143.803619] R13: ffff88040ac80bc8 R14: 0000000000000008 R15: ffff880407c14008 [ 143.803638] FS: 0000000000000000(0000) GS:ffff88043f7c0000(0000) knlGS:0000000000000000 [ 143.804360] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 143.805065] CR2: 0000000000000000 CR3: 0000000001c09000 CR4: 00000000000406e0 [ 143.805753] Call Trace: [ 143.806436] qedf_process_tmf_compl+0x19/0x30 [qedf] [ 143.807124] qedf_process_cqe+0x265/0x280 [qedf] [ 143.807800] qedf_fp_io_handler+0x26/0x60 [qedf] [ 143.808469] process_one_work+0x138/0x370 [ 143.809133] worker_thread+0x4d/0x3b0 [ 143.809797] kthread+0x109/0x140 [ 143.810451] ? rescuer_thread+0x320/0x320 [ 143.811100] ? kthread_park+0x60/0x60 [ 143.811743] ret_from_fork+0x2c/0x40 Signed-off-by: Chad Dupuis Signed-off-by: Martin K. Petersen --- drivers/scsi/qedf/qedf_io.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c index ea37c78..ded3860 100644 --- a/drivers/scsi/qedf/qedf_io.c +++ b/drivers/scsi/qedf/qedf_io.c @@ -1041,10 +1041,13 @@ static void qedf_parse_fcp_rsp(struct qedf_ioreq *io_req, fcp_sns_len = SCSI_SENSE_BUFFERSIZE; } - memset(sc_cmd->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE); - if (fcp_sns_len) - memcpy(sc_cmd->sense_buffer, sense_data, - fcp_sns_len); + /* The sense buffer can be NULL for TMF commands */ + if (sc_cmd->sense_buffer) { + memset(sc_cmd->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE); + if (fcp_sns_len) + memcpy(sc_cmd->sense_buffer, sense_data, + fcp_sns_len); + } } static void qedf_unmap_sg_list(struct qedf_ctx *qedf, struct qedf_ioreq *io_req) -- 2.7.4